Identifying and processing an unauthorized access request

ABSTRACT

The system reuses the classic User ID & Password combination for authentication and adds a third component, called a USE code, for an additional authorization check. When access is requested with the correct User ID and Password (i.e., with the correct pass code) but with an unauthorized USE code, the system still grants access, identifies the request as an unauthorized access, and triggers the appropriate security measures to minimize the damage and monitor the actions, in a way that does not alarm the unauthorized user who is using the owner's credential to access the system. The USE code is an extension of the pass code that raises various alarms and provides stepwise access level control based on the different values entered.

This is a continuation of another Accelerated Exam. application, Ser. No. 12/020,540, filed Jan. 26, 2008, to be issued in January 2009 as a US Patent, with the same title, inventors, and assignee, IBM.

BACKGROUND OF THE INVENTION

Usual secured system access is based on the requirement of two codes from the user: his/her username, assigned to a specific user account, and a corresponding password or pass code. The username and the pass code are the two components of the system access data assigned to a user account on that secured system. Access to the system is granted if the combination of username and pass code is valid, irrespective of how and/or by whom that access data was entered.

System access data of usual pass code-secured systems are built from a 2-tuple of the components user account and pass code:

System access data (old) = (user account, pass code)

There is no possibility to differentiate between uses of the system access data, e.g., to prevent misuse of the user account once both components are disclosed.

After disclosure of the valid system access data to an unauthorized person, misuse of the user account begins, and security actions do not start until the owner is able to trigger them.

If the disclosure was faked to avoid loss of property, by providing an invalid user account/pass code combination, the owner (disclosing person) risks his or her health, because the unauthorized user will notice the access failure immediately, and as a reaction the disclosing person may face immediate danger.

SUMMARY OF THE INVENTION

One embodiment reuses the classic User ID & Password combination for authentication and adds a third component, called a USE code, for an additional authorization check. This embodiment (as an example) allows access to a system when access is requested with the correct User ID and Password (i.e., with the correct pass code) but with an unauthorized USE code; the system identifies the request as an unauthorized access and triggers the appropriate security measures to minimize the damage and monitor the actions, in a way that does not alarm the unauthorized user who is using the owner's credential to access the system. The USE code utilized by this invention could have different permutations. These permutations could limit access to some or part of the system that is being accessed. For example, in the case of bank accounts, the USE code can cause the daily withdrawal limit to be immediately decreased. In the case of a secure building, the USE code can be used to grant access to certain areas but not all, and in the case of vehicles, the USE code can be used to grant access to the inside of a vehicle but lock the engine.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic diagram of the system in its entirety.

FIG. 2 is a schematic diagram of the Use Code and the different levels of security that can be created by the Use Code.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

An example of this invention addresses the problem of a user ID and password credential being compromised by an unauthorized third party who is accessing the system either:

    1) while the system is not aware of the compromise (i.e., giving full access based on the authorization of the owner), or
    2) when outright and total prevention of access (e.g., denying access at the logon prompt) is not desired because it may alert the third-party intruder.

It is proposed to attach a third component (use code) to the first two, to allow differentiating the mode of use of the first two components. In this way, the two-valued outcome (authorized, unauthorized) can be extended to a variety of authorized use modes or cases.

An example of this invention can be used for ATM machines, bank accounts, computer system authorization, access to secure buildings, and in general any access that requires a username and a password, as demonstrated by FIGS. 1 and 2.

System access data will be extended by adding one component, the use code, to the 2-tuple (user account, pass code) to build a 3-tuple consisting of the components user account, pass code, and use code:

system access data (new) = (user account, pass code, use code) (items 108, 110, 112)

The use code carries the information whether access to the system is requested by an authorized user or by an unauthorized user. An automated action is triggered by the system depending on the use code value (e.g., special security handling, 114).

An example of this invention reuses the classic User ID & Password combination for authentication and adds a third component, called a USE code, for an additional authorization check (116). This embodiment allows access to a system when access is requested with the correct User ID and Password (i.e., with the correct passcode) but with an unauthorized USE code; the system identifies the request as an unauthorized access and triggers the appropriate security measures to minimize the damage and monitor the actions, in a way that does not alarm the unauthorized user who is using the owner's credential to access the system (118, 120, 122, 124).

Beyond the binary nature of authorized versus unauthorized, there could be other authorization levels associated with multiple USE codes that further tighten access to the applications or data which the actual passcode owner is authorized to use. This helps in delegation scenarios where the user authorizes a third party to use his/her passcode to access the system while limiting the type of access based on the USE code. (210, 212, 214, 216, 218, 220, 222)

In one embodiment, the system is a method for identifying and processing an unauthorized access request to a system, the method comprising the steps of:

an authentication module receiving a variable length access code and a corresponding user ID;

wherein the variable length access code comprises a variable length password and a variable length use code;

starting from the first bit of information in the variable length access code, and scanning through the variable length access code, bit by bit, until a matching password is recognized using a hash function of the variable length password for the corresponding user ID, or until the last bit of the variable length access code is reached;

if the matching password is recognized, dividing the variable length access code into the variable length password and the variable length use code;

if the variable length access code is divided into the variable length password and the variable length use code, comparing the variable length use code with a list of all possible use codes;

in case of the variable length use code matching a first entry in the list of all possible use codes, the authentication module allowing full access to the system;

in case of the variable length use code matching a second entry in the list of all possible use codes, the system slowing down;

in case of the variable length use code matching a third entry in the list of all possible use codes, the system becoming locked;

in case of the variable length use code matching a fourth entry in the list of all possible use codes, the authentication module notifying authorities, security personnel, or police;

in case of the variable length use code matching a fifth entry in the list of all possible use codes, the authentication module limiting the access to the system;

in case of the variable length use code matching a sixth entry in the list of all possible use codes, the authentication module allowing full access to the system, and the authentication module notifying authorities, security personnel, or police;

in case of the variable length use code matching a seventh entry in the list of all possible use codes, the authentication module allowing limited access to the system, and the authentication module notifying authorities, security personnel, or police;

in case of the variable length use code matching an eighth entry in the list of all possible use codes, the system malfunctioning;

in case of the variable length use code matching a ninth entry in the list of all possible use codes, starting camera monitoring;

in case of the variable length use code matching a tenth entry in the list of all possible use codes, the authentication module activating a silent alarm;

in case of the variable length use code matching an eleventh entry in the list of all possible use codes, the authentication module simulating software corruption; and

in case of the variable length use code matching a twelfth entry in the list of all possible use codes, providing wrong or incomplete information to the user.

In the above embodiment, the system includes the following features:

-   The security front module gets the user ID, password, and use code from the accessing user.
-   The security module examines the user ID and password to see if the combination authenticates to a valid account owner.
-   If not, the system performs the regular security handling for denying access when the user ID and password combination is invalid.
-   If yes, the USE code module examines whether the specified use code corresponds to a valid authorized Use code for the owner's account.
-   If a valid owner-authorized Use code was specified, the system performs the regular security handling for when the account owner logs on to the system, i.e., it provides the full authorization corresponding to the owner's account.
-   If a valid authorized Use code with special meaning was specified, the system modifies and limits the system functionality to predefined limited access privileges, based on the authorization level associated with the Use code.
-   If an invalid Use code was specified, the system invokes special security handling for the access.
-   Special security handling provides the same external behavior to the accessing user as it would to the account owner.
-   Special security handling triggers special security actions without notification to the accessing user.
-   Special security actions comprise starting security monitoring sessions, constricting and further limiting user access, simulating system problems such as unavailable resources or computer virus problems, slowing the response time, and notifying the security personnel (in case of computer access).
-   Special security actions comprise starting security monitoring, e.g., transferring the GPS position on a defined channel, simulating car problems such as engine failure or running out of fuel, slowing the response time, and notifying the security personnel (in case of automobile access).
-   Special security actions comprise starting security monitoring sessions, transferring the GPS position if any, constricting and further limiting user access to data, simulating system problems such as booting problems or power failure, slowing the response time, and notifying the security personnel (in case of a mobile phone).
-   Special security actions comprise starting security video monitoring and on-line camera monitoring, limiting the amount of money transferred, simulating system problems such as an ATM problem or power failure, slowing the response time, and notifying the security personnel (in case of bank account access).

In another embodiment, the system can implement the Use Code as one letter found in the password, identified by its location in the password; or as a Use code separate from the password; or by having a variable password length and appending the Use code to the password. The variable length makes it harder for attackers to guess the password. The system uses a loop/iterative function to examine and find/match the password, bit by bit, starting from the first bit.
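The method steps above (scan the access code from the first position until a prefix hashes to the stored password, split off the use code, look it up in the list of possible use codes, act) and the appended and positional variants of this paragraph are shown below as an added example. This is illustrative code written for this page, not IBM's implementation or anything from the patent; the account name, the single-character use codes, the PBKDF2 parameters, and the "special security handling" label for an unrecognized use code are assumptions made for the example.

```python
# Added example, not from the patent or IBM: a minimal authentication module
# built from the three-tuple (user account, pass code, use code) described
# above. Names, use-code strings and accounts are assumptions for the example.
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ROUNDS = 10_000  # illustrative; production values are far higher


def _kdf(password: str, salt: bytes) -> bytes:
    """Hash function of the password alone; the use code is never hashed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def enroll(password: str) -> dict:
    """Create a stored account record (salt + password hash)."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _kdf(password, salt)}


# The "list of all possible use codes", in the order of the twelve entries
# of the method above. The single-character codes are an assumption.
USE_CODES = {
    "0": "full access",                      # first entry: owner, normal logon
    "1": "slow down",                        # second
    "2": "lock",                             # third
    "3": "notify security",                  # fourth
    "4": "limited access",                   # fifth
    "5": "full access + notify",             # sixth
    "6": "limited access + notify",          # seventh
    "7": "simulate malfunction",             # eighth
    "8": "start camera monitoring",          # ninth
    "9": "silent alarm",                     # tenth
    "A": "simulate software corruption",     # eleventh
    "B": "wrong or incomplete information",  # twelfth
}

# An unknown use code (including none at all, i.e. an attacker who knows only
# the password) gets the special security handling of the description. To the
# accessing user it must look like full access; the label is for the caller.
SPECIAL_HANDLING = "special security handling"


def split_appended(access_code: str, record: dict):
    """Appended variant: scan prefixes of the access code from the first
    character (the patent says bit by bit; characters are the natural unit for
    a text password) until one hashes to the stored password hash, then split
    into (password, use_code). Returns None if no prefix matches."""
    for i in range(1, len(access_code) + 1):
        candidate = access_code[:i]
        if hmac.compare_digest(_kdf(candidate, record["salt"]), record["hash"]):
            return candidate, access_code[i:]
    return None


def split_positional(access_code: str, record: dict, position: int):
    """Positional variant: the use code is the single character at a fixed
    index inside the typed string; the remainder must hash to the password."""
    if position >= len(access_code):
        return None
    password = access_code[:position] + access_code[position + 1:]
    if hmac.compare_digest(_kdf(password, record["salt"]), record["hash"]):
        return password, access_code[position]
    return None


def authenticate(user_id: str, access_code: str, accounts: dict,
                 position: Optional[int] = None) -> str:
    """Return the action the system should take for this logon attempt."""
    record = accounts.get(user_id)
    if record is None:
        return "deny"
    if position is None:
        split = split_appended(access_code, record)
    else:
        split = split_positional(access_code, record, position)
    if split is None:
        return "deny"  # regular handling: user ID / password do not authenticate
    _password, use_code = split
    return USE_CODES.get(use_code, SPECIAL_HANDLING)


# Constructed sample account for the example.
ACCOUNTS = {"alice": enroll("s3cret")}

if __name__ == "__main__":
    print(authenticate("alice", "s3cret0", ACCOUNTS))              # full access
    print(authenticate("alice", "s3cret9", ACCOUNTS))              # silent alarm
    print(authenticate("alice", "s3cret", ACCOUNTS))               # special security handling
    print(authenticate("alice", "wrong0", ACCOUNTS))               # deny
    print(authenticate("alice", "s30cret", ACCOUNTS, position=2))  # full access
```

Two points a practitioner should check in any real implementation of this scheme. First, the prefix scan performs one password-hash evaluation per character until the password is found, so the response time reveals where the password ends (its length) to anyone who can time the logon; capping the access code length and always evaluating every prefix removes that leak. Second, the use code travels on the same channel as the password, so the scheme addresses coerced disclosure by the owner, not credential capture: a keylogger or a replayed login records the owner's normal use code along with the password, and the "owner" entry then grants full access.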

A system or apparatus that has some of the following items is an example of this invention: ATM machine, automatic bank teller, computer running the whole process and method described above, laptop, car, alarm, or mobile phone.

Any variations of the above teaching are also intended to be covered by this patent application.

1. A system for identifying and processing an unauthorized access request to a secured module, said system comprising: an authentication module; and a password recognition module; wherein said authentication module receives a variable length access code and a corresponding user ID; said variable length access code comprises a variable length password and a variable length use code; wherein, from a first bit of information on said variable length access code, scanning is started through said variable length access code, bit by bit, until a matching password is recognized using a hash function of said variable length password for said corresponding user ID, or until the last bit of said variable length access code is reached; if said matching password is recognized, said variable length access code is divided into said variable length password and said variable length use code; if said variable length access code is divided into said variable length password and said variable length use code, said variable length use code is compared with a list of all possible use codes; in case of said variable length use code matching with a first entry in said list of all possible use codes, said authentication module allows full access to said secured module; in case of said variable length use code matching with a second entry in said list of all possible use codes, said secured module slows down; in case of said variable length use code matching with a third entry in said list of all possible use codes, said secured module becomes locked; in case of said variable length use code matching with a fourth entry in said list of all possible use codes, said authentication module notifies authorities, security personnel, or police; in case of said variable length use code matching with a fifth entry in said list of all possible use codes, said authentication module limits the access to said secured module; in case of said variable length use code matching with a sixth entry in said list of all possible use codes, said authentication module allows full access to said secured module, and said authentication module notifies authorities, security personnel, or police; in case of said variable length use code matching with a seventh entry in said list of all possible use codes, said authentication module allows a limited access to said secured module, and said authentication module notifies authorities, security personnel, or police; in case of said variable length use code matching with an eighth entry in said list of all possible use codes, said secured module malfunctions; in case of said variable length use code matching with a ninth entry in said list of all possible use codes, a camera monitors; in case of said variable length use code matching with a tenth entry in said list of all possible use codes, said authentication module activates a silent alarm; in case of said variable length use code matching with an eleventh entry in said list of all possible use codes, said authentication module simulates software corruption; and in case of said variable length use code matching with a twelfth entry in said list of all possible use codes, wrong or incomplete information is provided to said user.